Rule Category

POLICY-SOCIAL -- Snort has detected a violation of the corporate policy. Similar to an IOC, this activity may not be directly malicious, but could be a symptom of compromise, or of a misuse of the network. Examples are cryptocurrency mining and strade (Bitcoin, et al). The ISP won’t block these, but corporate policies likely prohibit them. In this case, Snort has detected a violation of social media policy. Some companies choose to disallow some or all social media, or to only allow in-network social sharing. This can prevent simple productivity loss or serious NDA breaches (sharing of files from the internal network, etc.).

Alert Message

POLICY-SOCIAL IRC K-line active

Rule Explanation

This event is generated when network traffic that indicates POLICY-SOCIAL IRC K-line active is being used. Impact: Possible policy violation. The use of POLICY-SOCIAL IRC K-line active may be prohibited by corporate policy in some network environments. Details: This event indicates that the POLICY-SOCIAL IRC K-line active is being used on the protected network. Ease of Attack: Simple.

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

CVE Additional Information